
Diploma in Information Technology

Diploma in Business Informatics


Diploma in Engineering Informatics

IT7344 (ISECT)

Tutorial 2 – General Security Concepts (Answers)


School of Information Technology
Instructions
Read Conklin Chapter 2 and answer the following questions:

Multiple-Choice Quiz – 1, 2, 11, 13, 15

Essay Quiz – 4, 5

Multiple-Choice Quiz

1. What is the most common form of authentication used?

A.) Smart card
B.) Tokens
C.) Username/password
D.) Retinal scan

Answer: C. The username/password combination is the single most common
authentication mechanism in use today.

2. The CIA of security includes…

A.) Confidentiality, integrity, authentication
B.) Confidentiality, integrity, availability
C.) Certificates, integrity, availability
D.) Confidentiality, inspection, authentication

Answer: B. Don’t forget, even though authentication was described at great length in this
chapter, the A in the CIA of security represents availability, which refers to both the
hardware and data being accessible when the user wants it.

11. The alternative proposed by some to replace the term “hacker” (a reference to
individuals who attempt to gain unauthorized access to computer systems or networks) is…
A.) Lamer
B.) Phreaker
C.) Script kiddie
D.) Cracker

Answer: D. The alternative term proposed was cracker. Script kiddie is used by individuals
in the security community to refer to individuals with only marginal skills and who rely on
scripts created by others to accomplish their desires. Lamer is a derogative term referring
to any number of less-talented individuals.

13. Information security places the focus of security efforts on:

A.) The operating system and hardware it runs on
B.) The application programs interacting with the user
C.) The system (or security) administrators
D.) The data the systems store and process

IT3110/IT3505/IT3789/IT7437 Tutorial 2 Answers Page 1


Answer: D. Information security places the focus of security efforts on the data
(information).

15. The security principle whose goal it is to ensure that information is only modified by
those who have authority to change it is called…
A.) Authenticity
B.) Availability
C.) Integrity
D.) Confidentiality

Answer: C. This is the definition of integrity.

Essay Questions
4. Describe why the concept of “security through obscurity” is generally
considered a bad principle to rely on. Provide some real-world examples of where you
have seen this principle used.

Answer: Security through obscurity uses the approach of protecting something by hiding
it. Noncomputer examples of this concept discussed earlier in the textbook include hiding
your briefcase or purse if you leave it in the car so that it is not in plain view, hiding a
house key under a doormat or in a planter, or pushing your favorite ice cream to the back
of the freezer so that everyone else thinks it is gone. Other examples might include hiding
money in a coffee can and burying it, hiding money in a mattress, or hiding valuables in a
hollowed out book and placing it on a bookshelf. In most security circles, security through
obscurity is considered a poor approach, especially if it is the only approach to security.
An organization can use security through obscurity measures to try to hide critical assets,
but other security measures should also be employed to provide a higher level of
protection. For example, if an administrator moves a service from its default port to a more
obscure port, an attacker can still actually find this service; thus a firewall should be used
to restrict access to the service. Plus, most people know that even if you do shove your
favorite ice cream to the back of the freezer, someone may eventually find it.
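The point about the relocated service, as an added example that is not part of the tutorial or of the Conklin textbook: a small default-deny packet-filter model. It assumes SSH has been moved from port 22 to 2222 and compares "no filter at all" with "filter that admits only the admin subnet". The hosts, networks and port numbers are constructed sample values.

```python
"""Added example (not from the tutorial or the textbook): a minimal packet-filter
model showing that a non-default port alone restricts nobody, while a
default-deny rule set does. All addresses, networks and ports are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_net: str   # CIDR of sources the rule matches, e.g. "10.0.5.0/24"
    dst_port: int  # TCP port the rule applies to
    action: str    # "allow" or "deny"


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if dst_port == rule.dst_port and src in ipaddress.ip_network(rule.src_net):
            return rule.action
    return "deny"


def reachable_from(rules, listening_port, sources):
    """Return the sources that can reach the service on listening_port."""
    return [s for s in sources if evaluate(rules, s, listening_port) == "allow"]


# Constructed sources: an admin workstation, an ordinary user's PC, an internet host
SOURCES = ["10.0.5.20", "10.0.7.33", "203.0.113.9"]

# Setup 1: SSH relocated to 2222 and no filtering; equivalent to an allow-all rule.
# Anyone who scans for the listener finds and reaches it.
OPEN_TO_ALL = [Rule("0.0.0.0/0", 2222, "allow")]

# Setup 2: same relocated port, but only the admin subnet is admitted.
# Everything else, including the default port 22, falls through to "deny".
ADMIN_ONLY = [Rule("10.0.5.0/24", 2222, "allow")]


def compare():
    """Who can reach the relocated service under each setup."""
    return {
        "obscure port only": reachable_from(OPEN_TO_ALL, 2222, SOURCES),
        "obscure port + firewall": reachable_from(ADMIN_ONLY, 2222, SOURCES),
    }


if __name__ == "__main__":
    for setup, hosts in compare().items():
        print(f"{setup}: reachable from {hosts}")
```

The design point is the default at the end of `evaluate`: because an unmatched packet is denied, the protection no longer depends on whether anyone guesses the port.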

5. Write a brief essay describing the principle of least privilege and how it can be
employed to enhance security. Provide at least two examples of environments in
which it can be used for security purposes.

Answer: Least privilege means that a subject (which may be a user, application, or
process) should have only the necessary rights and privileges to perform its task with no
additional permissions. Limiting an object’s privileges limits the amount of harm that can
be caused, thus reducing an organization's exposure to damage. Users may have access
to the files on their workstations and a select set of files on a file server, but no access to
critical data that is held within the database. This rule lets an organization protect its most
sensitive resources and helps ensure that whoever is interacting with these resources has
a valid reason to do so. Banking and accounting are two environments where this might
be employed.
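The least-privilege arrangement described in this answer, as an added example that is not part of the tutorial or of the Conklin textbook: a default-deny authorization table in which a user holds rights to her workstation files and a select set of file-server files but nothing on the database, contrasted with an over-privileged shared login and with a batch process granted only the single action it needs. Subject names, resource names and grants are constructed sample values.

```python
"""Added example (not from the tutorial or the textbook): a default-deny
authorization table illustrating least privilege and the harm it bounds.
Subjects, resources and grants are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    """A user, application or process, with explicitly granted rights only."""
    name: str
    grants: dict = field(default_factory=dict)  # resource -> set of permitted actions

    def grant(self, resource, *actions):
        self.grants.setdefault(resource, set()).update(actions)
        return self


# Constructed resources: workstation files, two file-server shares, the database
RESOURCES = ["ws:/home/alice", "fileserver:/projects/q3", "fileserver:/hr", "db:accounts"]


def authorize(subject, resource, action):
    """Default deny: an action is permitted only if it was explicitly granted."""
    return action in subject.grants.get(resource, set())


def blast_radius(subject, resources=RESOURCES):
    """Resources a compromised subject could read or write: the damage least privilege limits."""
    return sorted(r for r in resources
                  if authorize(subject, r, "read") or authorize(subject, r, "write"))


# Least-privilege user from the answer: own workstation plus one project share, no database
alice = (Subject("alice")
         .grant("ws:/home/alice", "read", "write")
         .grant("fileserver:/projects/q3", "read"))

# Over-privileged contrast: a shared login with full rights everywhere
admin = Subject("shared-admin")
for resource in RESOURCES:
    admin.grant(resource, "read", "write")

# Batch process that only posts transactions; it cannot read the account data it writes to
payroll = Subject("payroll-job").grant("db:accounts", "write")


if __name__ == "__main__":
    for subject in (alice, admin, payroll):
        print(f"{subject.name}: can reach {blast_radius(subject)}")
```

Note that `alice` is denied a write on the project share as well as any access to the database: rights are enumerated per resource and per action, so a compromised account exposes only what `blast_radius` lists for it.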
